Is this cross site scripting or something different?

by John   Last Updated September 12, 2017 22:04 PM

This was on a website I had to work on. It seems to me its a horrible idea, but I was hoping to get other input before I told them it was.

var url = ''; 
document.write('<script>jQuery( "#div" ).load( "' + url + '" );<\/script>’);

The document.write happens on a domain different than, so I am under the impression this is a cross-site scripting hole that they have created. My concerns were XSS and access to cookies, can anyone else help me understand any issues other than those and using document.write & load is bad. Thanks!

Related Questions

Is CORS required for SEO?

Updated December 05, 2017 12:04 PM

I have this Cross-Origin Font Issue with Chrome

Updated May 30, 2017 15:04 PM